The proposed EHDS Regulation, introduced in May 2022 by the European Commission (EC), aims to reform the existing fragmented European healthcare system through the establishment of a “digital data ecosystem”, that would regulate access for researchers and streamline the process for patients wishing to access their medical records.
The proposal has three specific objectives: (i) ensuring individuals' control over their electronic health data; (ii) setting the rules for the solutions offered on the market for health record systems and wellness applications; and (iii) allowing researchers, innovators and policy-makers to harness the health data available. For pharmaceutical and biotech companies, this could mean that a broader pool of data could become accessible for research and development purposes, as explored further below. However, as well as being able to access data, pharmaceutical and biotech companies are likely to be obliged to make available their own medical research data to others via a data repository.
Rights for individuals (primary use of health data)
The draft EHDS Regulation proposes to bolster individuals’ rights to their personal electronic health data, to exist alongside the access and data portability rights that exist under the GDPR.
Individuals would, for example, now also have the rights to insert health data in their own electronic health record and the capacity to transmit their data free of charge to a nominated third party in the health sector (currently, the GDPR requires controllers to do so only where such transfers are “technically feasible”).
Secondary use of health data
The EHDS also sets out a regime that would allow electronic health data to be further processed for a specific set of ‘secondary use’ purposes, such as development and innovation activities. “Data holders” (which broadly includes all entities in the health or care sector, or those performing research in relation to these sectors) would be required to allow access to certain categories of data, ranging from pathogen genomic data to health-related administrative data, such as reimbursement data. However, access may only be granted where the intended purpose for processing satisfies Article 34(1) of the Regulation, which includes the following research and development focused criteria:
- activities for reasons of public interest in the area of public and occupational health;
- to produce national/multi-national official statistics related to health or care sectors;
- education or teaching activities in health or care sectors;
- scientific research related to health or care sectors;
- development and innovation activities contributing to public health or social security, or ensuring high levels of quality and safety of health care, medicinal products or medical devices;
- training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices; and
- providing personalised healthcare consisting of assessing, maintaining or restoring the state of health of individuals, based on the health data of other individuals.
There are also a number of proposed specific prohibited uses of the data, including advertising or marketing towards health professionals or use of the data for the purpose of tailoring insurance premiums.
Secondary use of health data would require the data “re-user” to lodge an application for access, which would then need to be assessed by the competent health data access body in charge of delivering the permission to access the data. It has been proposed that the amount of these fees charged by the data holder must be transparent, proportionate and “must not restrict competition”. Further, where access is granted, the data must be transferred in an anonymised format unless the applicant’s purpose cannot be achieved by processing anonymised data, in which case pseudonymised data may be provided following consideration of the reasoning for requiring such access.
When will it come into force?
The EC is hoping that by the end of its current mandate on 31 October 2024, the legislative process will be completed, with the EHDS becoming operational in 2025.
However, there is uncertainty regarding interpretation of the proposed Regulation and over the protections it provides. In particular, there are question marks around how the secondary use concept will sit alongside the GDPR, under which a legal basis is required for data users to process health data for secondary uses. Other concerns raised involve security and how the proposal will support the functionality of secure processing environments, as well as the protection of intellectual property rights within insights generated and what measures will be implemented to protect the rights of data holders when providing data.
It is undeniable that the EHDS has the potential to generate significant opportunities for the pharmaceutical and biotech sector. However, the legislative procedure is in its early stages and such issues would need to be considered further by the European Parliament and Council of Ministers, in the hope of addressing the concerns with the original proposal and implementing guidance around the existing areas of uncertainty with the EHDS.